Can KAVACH be deployed in a customer-controlled environment?

Yes. The customer-controlled desktop workspace keeps KAVACH on the engineering team's own machines. The on-premise model keeps KAVACH inside the customer's network and storage. The customer-dedicated EU VPC option is single-tenant and provisioned per customer.

Where is the EU VPC hosted?

The customer-dedicated VPC option is hosted in an EU region. Specific region selection within the EU can be discussed under the deployment agreement.

Can KAVACH run in an air-gapped environment?

The on-premise model is the closest fit. Specific air-gap capability depends on the AI configuration the programme selects — manual and deterministic workflows do not require external connectivity. Discuss specific air-gap requirements with the engineering team.

Does Agnile have administrative access to customer deployments?

Administrative access depends on the deployment model. In customer-controlled and on-premise deployments, the customer is the administrator. In the customer-dedicated EU VPC option, Agnile administers the infrastructure under an explicit agreement with customer-defined access boundaries.

← Trust Center

TRUST · DEPLOYMENT

KAVACH deployment models

Deployment options include a customer-controlled desktop workspace, an on-premise model, and a customer-dedicated cloud VPC in the EU. Sensitive vehicle-architecture data is designed to stay inside the customer-defined boundary.

THREE OPTIONS, ONE PRINCIPLE

Each KAVACH deployment model places different operational responsibility on the customer and on Agnile. All three are designed around the same principle: sensitive vehicle-architecture and cybersecurity programme data stays inside the customer-defined boundary.

DEPLOYMENT OPTIONS

Pick the model that fits the programme

OPTION 01

Customer-controlled desktop workspace

Who it’s for: Individual engineers, small programmes, and early evaluation. Inherits the customer's own endpoint security policy.
Data location: On the engineering team's own machines. No KAVACH data leaves the customer's endpoint unless the customer chooses to export it.
AI option: Manual and deterministic modes are available locally. AI-assisted features require connectivity to a configured inference endpoint or can be disabled.
Administered by: Customer
Isolation: Per-engineer environment. No multi-tenant sharing.

OPTION 02

On-premise deployment

Who it’s for: Programmes with their own GPU infrastructure or strict on-network operating requirements.
Data location: Inside the customer's network. Architecture data, TARA records, and Cybersecurity Case artefacts stay on customer-managed storage.
AI option: Manual, deterministic, and AI-assisted modes can all run inside the customer's network when GPU infrastructure is available. AI-assisted workflows can be configured or disabled per programme.
Administered by: Customer (with Agnile engineering support as scoped)
Isolation: Operates inside the customer's network controls. Customer access policies apply to KAVACH the same as any other internal application.

OPTION 03

Customer-dedicated EU cloud VPC

Who it’s for: Programmes that prefer managed infrastructure but still need scoped, single-tenant separation.
Data location: EU region. The VPC is provisioned per customer and is not shared with other tenants.
AI option: AI-assisted, deterministic, and manual modes are all supported. AI workflows can be configured or disabled per programme.
Administered by: Agnile under explicit agreement, with customer-defined access boundaries.
Isolation: Single-tenant VPC. Cross-customer data flow is not part of the architecture.

CUSTOMER-DEFINED BOUNDARY

What stays inside the boundary

The customer-defined boundary is the operational perimeter the customer establishes around KAVACH for a given programme. In customer-controlled and on-premise deployments, this is typically the customer’s endpoint or network. In the customer-dedicated EU VPC option, this is the single-tenant VPC under the customer’s engagement.

Architecture inputs, TARA records, attack paths, controls, Cybersecurity Case artefacts, and operational metadata are designed to stay inside the customer-defined boundary unless the customer explicitly exports or shares them.

FAQ

Deployment FAQ

Which deployment fits your programme? We can map it together.

Bring the constraints — air gap, region, identity provider, GPU availability, customer environment — and the engineering team will walk through which deployment option fits and where the trade-offs are.

See KAVACH On Your Architecture

Talk to an Engineer